Configure OpenID Connect in Okta to retrieve temporary credentials

Hi,

We would like to partially manage Okta via Terraform which is executed within Gitlab Pipelines. This requires a secure authentication method to Okta’s API. For AWS and GCP we use OpenID Connect (there’s an example anyone can view in Gitlab’s docs called “Configure OpenID Connect in AWS to retrieve temporary credentials”) which utilizes Gitlab’s ID tokens to retrieve access tokens. Is this kind of authentication flow possible with Okta (forgive me if there’s an obvious answer, my Okta knowledge is limited)? If so, these are the main questions:

  • What Okta features/resources should we know about when setting this up?
  • How would we limit access to certain Gitlab groups/projects?
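The flow described above only works safely if the relying party checks the ID token's claims before handing out credentials, which is also where the "limit access to certain groups/projects" question is answered. The following is an added example, not code from the thread, GitLab or Okta: a fail-closed claim policy evaluated over a constructed GitLab-style ID token payload. The issuer, audience and allowed namespace are assumed values, and the signature is assumed to have already been verified against the issuer's JWKS by whatever consumes the token.

```python
import base64
import json

# Assumed values for this example: the GitLab instance we trust and the
# audience the pipeline requests (GitLab sets `aud` per job via `id_tokens:`).
TRUSTED_ISSUER = "https://gitlab.example.com"
EXPECTED_AUDIENCE = "https://okta.example.com"
# Allowlist of GitLab namespaces (groups) whose pipelines may obtain credentials.
ALLOWED_NAMESPACES = {"infra/okta-terraform"}

# Constructed payload shaped like a GitLab CI ID token (values are strings,
# as GitLab emits them); not a real token.
SAMPLE_CLAIMS = {
    "iss": "https://gitlab.example.com",
    "aud": "https://okta.example.com",
    "nbf": 1681395188, "exp": 1681398793,
    "namespace_path": "infra/okta-terraform",
    "project_path": "infra/okta-terraform/okta-config",
    "ref": "main", "ref_type": "branch", "ref_protected": "true",
    "sub": "project_path:infra/okta-terraform/okta-config:ref_type:branch:ref:main",
}

def decode_payload(id_token: str) -> dict:
    """Extract the claims from a compact JWT. This does NOT verify the
    signature; call it only after the token has been verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def authorize(claims: dict, now: int) -> tuple[bool, str]:
    """Fail closed: every check must pass before a credential is issued."""
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token not valid at this time"
    # Bind authorization to where the pipeline ran, not to a user identity.
    if claims.get("namespace_path") not in ALLOWED_NAMESPACES:
        return False, "namespace not allowed"
    if str(claims.get("ref_protected")).lower() != "true":
        return False, "only protected refs may obtain credentials"
    # `sub` is what cloud trust policies usually match on; require it to agree
    # with the individual claims so both views of the token say the same thing.
    expected_sub = (f"project_path:{claims.get('project_path')}:ref_type:"
                    f"{claims.get('ref_type')}:ref:{claims.get('ref')}")
    if claims.get("sub") != expected_sub:
        return False, "sub does not match project/ref claims"
    return True, "ok"
```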

Hi,

While going through the doc Configure OpenID Connect in AWS to retrieve temporary credentials, it mentions that you have to add Gitlab as an IAM OIDC provider in AWS.

I would believe you can add Okta as the IAM OIDC provider in OIDC in a similar way if you go through this doc from AWS.


Hey,

To clarify I need to add Gitlab OIDC identity provider to Okta like I did for AWS. However the setup is quite different. All AWS requires is the provider URL and the audience (which I assume is just different naming for the client ID). This is not the case with Okta. It requires additional things like client secret and so on. Perhaps I’m looking at the wrong place (Security > Identity Provider > Add OIDC identity provider)?

Hi,
Did you try to add it as a generic OIDC IdP or with the Gitlab IdP template?
The information needed, like the client secret, has to be found in Gitlab. I am not familiar with the Gitlab interface, but the process's documentation is here:

Social Login | Okta Developer

Hi,

Recently got a response from Okta support about this. You are correct, creating an OIDC IdP would be the way to do it; however, Okta support noted that unlike AWS/GCP/Azure, adding an OIDC IdP without client credentials is not possible. Afaik Gitlab doesn't expose this data. I'll most likely raise a feature request to support IdP configuration like in AWS/GCP/Azure. But for now the answer would be that it's not possible to do so.
